AWS NAT Gateway vs. NAT Instance
AWS defines private subnets as those without public internet access, that is, with no route to an Internet Gateway. While this is a great place for your precious resources to live, unreachable from the public internet, the reality is that these instances sometimes need outbound internet access for things like installing or updating software or communicating with other services.
To grant your private resources access to the public internet, you can move them to a public subnet (one that has a route to an Internet Gateway), or perform some kind of Network Address Translation (NAT). If you’re reading this, it’s probably because simply moving your resources to a public subnet isn’t an option. Fortunately, AWS has two different solutions for NAT in a private VPC; unfortunately, neither of them is free.
You can see the official NAT Gateway vs. NAT Instance comparison here.
NAT Gateway
The NAT Gateway is a high-availability, AWS-managed service that’s basically set-and-forget. For this convenience, you’ll pay a higher price than with the EC2-based NAT Instance.
In us-east-1, the NAT Gateway is billed at $0.045/hr plus $0.045/GB of traffic processed, on top of the normal data transfer charges.
A pair of idle NAT Gateways (say, one serving each of two private subnets) will cost about $33.75/mo each. With only a couple of GBs of data, the processing charge is negligible: $0.045 for 1GB or $0.450 for 10GB.
NAT Instance
AWS used to provide an Amazon Machine Image (AMI) for deploying NAT Instances with a single click; however, now you have to roll your own.
In addition to being billed at the normal EC2 rates, NAT Instances offer the advantage of doubling as a bastion host. A bastion host is a hardened instance with one foot in the private network and one foot in the public internet. It therefore allows developers or administrators to connect to private backend instances from the public internet, via the combined bastion host and NAT instance.
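Since AWS no longer ships a NAT AMI, here is an added Terraform sketch (not from the original post and not AWS-provided code) of a self-managed NAT instance that doubles as a bastion host. The VPC, subnet, route table and AMI IDs, the private and admin CIDRs, and the assumption that the AMI has iptables available (e.g. Amazon Linux 2) are all placeholders chosen for illustration.

```hcl
variable "vpc_id"           { default = "vpc-PLACEHOLDER" }
variable "public_subnet_id" { default = "subnet-PUBLIC-PLACEHOLDER" }
variable "private_rtb_id"   { default = "rtb-PRIVATE-PLACEHOLDER" }
variable "private_cidr"     { default = "10.0.0.0/16" }    # assumed VPC CIDR
variable "admin_cidr"       { default = "203.0.113.0/24" } # assumed admin range (TEST-NET-3)
variable "nat_ami"          { default = "ami-PLACEHOLDER" } # assumed AMI with iptables (e.g. Amazon Linux 2)

resource "aws_security_group" "nat" {
  name   = "nat-bastion"
  vpc_id = var.vpc_id
  ingress { # forwarded traffic only from the private subnets, never from the internet
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.private_cidr]
  }
  ingress { # bastion SSH restricted to the administrators' address range
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
  egress { # Terraform drops the default allow-all egress, so declare it explicitly
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "nat" {
  ami                         = var.nat_ami
  instance_type               = "t3.micro"
  subnet_id                   = var.public_subnet_id
  associate_public_ip_address = true
  vpc_security_group_ids      = [aws_security_group.nat.id]
  source_dest_check           = false # required: the instance forwards packets it does not own
  # Enable forwarding and masquerade private-subnet traffic out the default interface.
  user_data = <<-EOT
    #!/bin/bash
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -o "$(ip route show default | awk '{print $5}')" -s ${var.private_cidr} -j MASQUERADE
  EOT
}

# Send the private subnet's default route through the NAT instance's primary ENI.
resource "aws_route" "private_default" {
  route_table_id         = var.private_rtb_id
  destination_cidr_block = "0.0.0.0/0"
  network_interface_id   = aws_instance.nat.primary_network_interface_id
}
```

The sysctl and iptables settings in the user data apply only at first boot, so persist them (sysctl.d and a saved iptables ruleset) before relying on the instance after a reboot.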
Upshot
Choosing between a NAT Gateway and a NAT Instance depends on your needs for convenience, cost, and dual functionality as a bastion host. Both options provide effective solutions for enabling internet access to resources within private subnets, with their own sets of advantages and associated costs.
Organizations sensitive to cost would be wise to quantify their data transfer rates (GB/month). They may find that their high usage justifies deploying their own NAT Instances to save on the NAT Gateway transfer costs.
If you have questions about your AWS architecture, please don’t hesitate to reach out to us on AWS IQ or at hello@silentwave.systems.